Lists of the year’s most popular bad passwords reveal cultural influences and a sense of dissatisfaction with online security itself.
Strings of consecutive numbers are an enduring and popular trend in bad passwords. "123456" topped SplashData’s list in 2016 and again in 2017.
The list of this year’s 25 “worst” passwords says a lot about us.
“Starwars” (No. 16) reflects a resurgent force in popular culture.
“Whatever” (No. 23) and “letmein” (No. 7) seem to speak to an exasperation with online security itself.
And “password” (No. 2) speaks to our collective lack of creativity.
They are among the 11 new entrants to the annual “worst passwords” list, compiled by SplashData, a company that creates applications for password management and security. The popularity and simplicity of those passwords pose risks for those who use them, the company said.
“Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure,” Morgan Slain, SplashData’s chief executive, said in a news release. “Our hope is that our Worst Passwords of the Year list will cause people to take steps to protect themselves online.”
The analysis was based on more than five million leaked passwords, most of them used by people in North America and Western Europe.
New entrants to the list this year included “iloveyou,” “monkey,” “hello,” “freedom,” “qazwsx” and “trustno1.”
Some, but not all, websites and services impose stringent requirements to prevent users from selecting insecure passwords.
Strong, effective passwords should be relatively long and unique, experts say. They can be meaningless strings of characters, numbers and punctuation or, as has become popular in recent years, full sentences that are easy to remember but hard to guess.
Password managers can also be used to help keep track of passwords for different websites and services.
While the SplashData list differs from those compiled by others, it reflects a theme common to such analyses: People often use strings of sequential numbers as their passwords.
As in 2016, “123456” led the SplashData list. The slightly more complex “12345678” ranked third and “12345” ranked fifth, followed by “123456789” in sixth place and “1234567” in eighth.
The company estimated that nearly 3 per cent of people have used the worst password on the list and almost 10 per cent have used one of the worst 25.
SplashData’s larger list of the 100 worst passwords reveals that popular choices include common names, such as “robert” (No. 31), “george” (No. 48) and “michelle” (No. 81). Years were popular passwords too — 1990 and 1991 were ranked 64th and 65th.
Sports references were also common. The 27th worst password was “jordan23,” an apparent reference to Michael Jordan and his famous jersey number. The 37th worst one was “lakers.”